
MATT LAUER, co-host:
7:43 now and this morning on our special series SCAM ALERT:
IDENTITY THEFT, we're talking about phishing. You open
your email every day figuring you'd recognize a fake or a
lure if you saw one, but scammers could be reeling in your
personal information just by asking you for it. Here's
NBC's Kevin Tibbles.
KEVIN TIBBLES reporting:
We've all seen the advertisements, a campaign to raise
awareness and fight a crime sweeping the nation--identity
theft. It resulted in an estimated $56.6 billion in losses
just last year alone. And financial institutions hired Jim
Stickley and his company, TraceSecurity, to test their
customers' vulnerability to it.
Mr. JIM STICKLEY (TraceSecurity): Let's take the financial
institutions, it costs them truckloads if their members or
their customers fall victim to these types of scams. On
the other hand, if they can bring us in ahead of time, then
the problem's solved.
TIBBLES: That's exactly what one company, Numerica Credit
Union in Spokane, Washington, is trying to do.
Mr. KELLEY FERGUSON (Assistant VP, Numerica Credit Union):
Going proactive for Numerica means educating our members
and not having to be reactive to these types of scams.
TIBBLES: It's just another day in the office for Jim, but
his assignment is anything but ordinary. He is conducting
an unscientific experiment to see if customers are savvy to
this common scam.
Mr. STICKLEY: Phishing is when somebody's requesting
information from you and that either your name and your
password or some other confidential information, and
they're generally doing it under the guise of being
something you trust or already have a relationship with,
like your bank, something like that.
TIBBLES: They don't call it phishing for nothing, and what
the thieves are trying to reel in is your identity and all
the vital information that goes along with it, including
your bank account.
The test was simple. Numerica provided TraceSecurity with
10 customers that are friends or family of employees. Jim
then drafted a letter asking for verification of their
account, claiming Numerica is following new security
precautions.
Mr. FERGUSON: They formulated what looked to be very valid
type of letterhead, although it did not match our
letterhead, but it looked real enough and good enough that
it could have come from any financial institution.
Mr. STICKLEY: We're asking for Social Security number,
driver's license number, name, address, mother's maiden
name, I mean everything that makes you who you are and
validates who you are is information that we're asking for.
TIBBLES: He created a fictitious Web site, almost exactly
like Numerica's actual site with only a slightly different
Web address and an additional link called account
verification.
Mr. STICKLEY: If people give this information, I mean we
can ruin their lives, or at least make it extremely
miserable.
Mr. FERGUSON: Best case scenario is nobody responds,
everyone comes into Numerica, lets us know that, 'Hey,
we're being phished.'
TIBBLES: But the next day a response form was sent in, a
customer revealing her Social Security number, address,
even her bank account number.
Unidentified Woman (Numerica Customer): Well, I went to
Numerica's Web site first and the place where I was
supposed to fill it out at was not there, and so I re-read
the letter and it said to go to a different Web site, but
it was enough like Numerica's Web site that I thought,
'Well, they must have set this up for something special,'
so I filled out the information. They would have
everything. I mean they could be me.
TIBBLES: Of the 10 letters sent out, three Numerica
customers were suspicious of the letter and did report it.
The other six did not respond, but even one victim like
Kelly is enough to make a crook's efforts worthwhile.
Mr. FERGUSON: You can do such a mass distribution of these
types of scams so quickly. Even 1 percent success rate
could mean all kinds of profits for the scammers.
Unidentified Woman: It can happen to you, and it probably
will happen to you because I grew up in an age where I'm
very trusting of people, and so even in this day and age I
still find myself being trusting.
TIBBLES: For TODAY, Kevin Tibbles, NBC News, Chicago.
LAUER: Jim Stickley from TraceSecurity has more on what
to do and what to watch out for.
Hey, Jim, good morning. Let me just start by saying you
had your identity stolen six years ago.
Mr. STICKLEY: I did. I did. I had somebody create a
phony account underneath my particular ID and they charged
it up and went crazy on it and, of course, never paid it
off.
LAUER: When we talk about these Web sites or phone calls
or letters that ask for personal information, the rule is a
bank will never, ever--or credit card company--ask for
that, correct?
Mr. STICKLEY: Yeah. If they're sending out a letter to
you, a bank should never ask for the types of things that
we were asking for. There is a situation, I mean, for
example, you get those pre-approved credit card statements
in the mail, in those cases they may ask for some
confidential information and that's kind of what makes it
so difficult.
LAUER: If you're suspicious, get an email, looks official,
if you get a letter, it looks official and you're
suspicious, isn't the best rule always err on the side of
caution and either don't respond or call the bank?
Mr. STICKLEY: Yeah. And I mean, I prefer call the bank.
Let them know you received this because you're not going to
upset them. If it's real, they're going to say it's real
and you're going to be happy. If it's not, you're letting
them know so they in turn can let a lot of other people
know and stop it from really propagating out.
LAUER: We looked at that Web site that you created, what's
the best way for a consumer to look at a Web site and get
the hint as to whether it's real or not real?
Mr. STICKLEY: Oh God. I mean first thing look and make
sure it's got the little security certificate, which is
https in the upper left-hand side, the little lock in the
bottom corner, that's a good sign that you're on the right
page. Not a hundred percent. Also, the actual domain name
you went to, in this case it was Numerica's, you can look
at your ATM card and almost always they're going to have
what their domain is, www.xyz or whatever.
LAUER: And if it's even slightly different?
Mr. STICKLEY: Don't go there.
LAUER: All right. And by the way, talk about the
average--this is a statistic that was startling me, the
average person who has an identity stolen, it takes 600
hours to sort things out.
Mr. STICKLEY: Yeah, it's a long time. It took me over two
years to get mine cleaned up.
LAUER: So better safe than sorry.
Mr. STICKLEY: Absolutely.
LAUER: Don't respond. Jim Stickley, thanks so much.
Mr. STICKLEY: Thank you.